

macOS code signing and notarization (#146)
* Set up the codesign identity for releases
* Notarize the universal binary on macOS
matiaskorhonen authored Aug 14, 2024
1 parent 3cef668 commit a3975f2
Showing 1 changed file with 61 additions and 3 deletions.
64 changes: 61 additions & 3 deletions .github/workflows/release.yml
Expand Up @@ -55,6 +55,48 @@ jobs:
if: ${{ matrix.target == 'universal-apple-darwin' }}
run: |
echo "include_docs=target/aarch64-apple-darwin/release/man,target/aarch64-apple-darwin/release/completion" >> $GITHUB_ENV
- name: Install the Apple certificate, provisioning profile, and API key (macOS)
if: ${{ matrix.target == 'universal-apple-darwin' }}
id: keychain
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
AUTH_KEY_BASE64: ${{ secrets.AUTH_KEY_BASE64 }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
AUTH_KEY_PATH=$RUNNER_TEMP/AuthKey.p8
# import certificate and provisioning profile from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
# apply provisioning profile
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
# create auth key file for notarization
echo -n "$AUTH_KEY_BASE64" | base64 --decode -o $AUTH_KEY_PATH
# setup outputs
echo "auth_key_path=$AUTH_KEY_PATH" >> $GITHUB_OUTPUT
echo "keychain_path=$KEYCHAIN_PATH" >> $GITHUB_OUTPUT
echo "pp_path=$PP_PATH" >> $GITHUB_OUTPUT
echo "certificate_path=$CERTIFICATE_PATH" >> $GITHUB_OUTPUT
- name: Include documentation files variable (windows)
if: ${{ matrix.target == 'x86_64-pc-windows-msvc' }}
run: |
Expand All @@ -64,7 +106,7 @@ jobs:
run: |
echo "include_docs=target/${{ matrix.target }}/release/man,target/${{ matrix.target }}/release/completion" >> $GITHUB_ENV
- id: upload-rust-binary-action
uses: taiki-e/upload-rust-binary-action@v1.21.1
uses: taiki-e/upload-rust-binary-action@v1.22.0
with:
# (required) Comma-separated list of binary names (non-extension portion of filename) to build and upload.
# Note that glob pattern is not supported yet.
Expand All @@ -77,8 +119,24 @@ jobs:
include: README.md,LICENSE.txt,src/assets/fonts/IBMPlexMono-LICENSE.txt,${{ env.include_docs }}
# (required) GitHub token for uploading assets to GitHub Releases.
token: ${{ secrets.GITHUB_TOKEN }}
# Sign build products using codesign on macOS (using an ad-hoc developer identity)
codesign: '-'
# Sign build products using codesign on macOS
codesign: '7FP48PW9TN'
codesign-prefix: 'fi.matiaskorhonen.'
codesign-options: 'runtime'
- name: Zip the binary for notarization (macOS)
if: ${{ matrix.target == 'universal-apple-darwin' }}
run: zip -r $RUNNER_TEMP/paper-age-signed.zip paper-age/target/universal-apple-darwin/release/paper-age
- name: Upload the binary for notarization (macOS)
if: ${{ matrix.target == 'universal-apple-darwin' }}
env:
KEY_ID: ${{ secrets.KEY_ID }}
ISSUER: ${{ secrets.ISSUER }}
run: |
xcrun notarytool submit $RUNNER_TEMP/paper-age-signed.zip \
--key "${{ steps.keychain.outputs.auth_key_path }}" \
--key-id "$KEY_ID" \
--issuer "$ISSUER" \
--wait
- uses: actions/attest-build-provenance@v1
with:
subject-path: "${{ steps.upload-rust-binary-action.outputs.archive }}.*"
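Review bot: The signing material this commit materializes on disk is never torn down — the first hunk creates `$RUNNER_TEMP/app-signing.keychain-db`, `build_certificate.p12` and `AuthKey.p8`, copies the profile into `~/Library/MobileDevice/Provisioning Profiles`, and adds the keychain to the user search list, but no visible hunk adds a cleanup step, so on a self-hosted or reused runner the Developer ID key and the App Store Connect API key would outlive the job. Apple's CI guidance pairs this setup with a teardown step gated on `always()`; the step below, appended after the attestation step, covers the keychain, the key files and the profile (the `steps` list continues past this hunk, so place it wherever the job's last step actually is). Separately, `upload-rust-binary-action` uploads the release archive before `xcrun notarytool submit --wait` runs, so a rejected submission fails the job but leaves an un-notarized asset published; if that ordering is not deliberate, submit before uploading, and because a bare Mach-O cannot be stapled, also check that the `status` reported by `notarytool` is `Accepted` rather than relying on the exit code alone (presumably non-zero on rejection — verify for the Xcode version on the runner). Also confirm that `paper-age/target/universal-apple-darwin/release/paper-age` in the zip step resolves from the same working directory as the bare `target/aarch64-apple-darwin/...` paths used for `include_docs`.
```yaml
      # … unchanged: attest-build-provenance step …
      - name: Clean up keychain, provisioning profile, and API key (macOS)
        if: ${{ always() && matrix.target == 'universal-apple-darwin' }}
        run: |
          security delete-keychain "${{ steps.keychain.outputs.keychain_path }}" || true
          rm -f "${{ steps.keychain.outputs.auth_key_path }}" "${{ steps.keychain.outputs.certificate_path }}" "${{ steps.keychain.outputs.pp_path }}"
          rm -f ~/Library/MobileDevice/Provisioning\ Profiles/build_pp.provisionprofile
```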

